我们正尝试使用Anchore Engine Jenkins插件扫描Docker图像。
当前,我们创建应用程序docker映像,将其推送到我们自己的私有本地注册表中,然后将其部署到我们的测试环境中。
现在,我们要在CI / CD流程中设置docker图像扫描,以检查是否存在任何漏洞。
我们已使用文档链接中提供的推荐的Docker-Compose yaml方法安装了Anchore Engine: https://anchore.freshdesk.com/support/solutions/articles/36000020729-install-on-docker-swarm
安装后,我们安装了
Jenkins中的Anchore容器图像扫描仪插件。
我们按照文档链接中所述配置了插件: https://wiki.jenkins.io/display/JENKINS/Anchore+Container+Image+Scanner+Plugin
但是,扫描失败。错误消息如下:
2018-10-11T07:01:44.647 INFO AnchoreWorker Analysis request accepted, received image digest sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8
2018-10-11T07:01:44.647 INFO AnchoreWorker Waiting for analysis of 10.180.25.2:5000/hello-world:latest, polling status periodically
2018-10-11T07:01:44.647 DEBUG AnchoreWorker anchore-engine get policy evaluation URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true
2018-10-11T07:01:44.648 DEBUG AnchoreWorker Attempting anchore-engine get policy evaluation (1/300)
2018-10-11T07:01:44.675 DEBUG AnchoreWorker anchore-engine get policy evaluation failed. URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true, status: HTTP/1.1 404 NOT FOUND, error: {
"detail": {},
"httpcode": 404,
"message": "image is not analyzed - analysis_status: not_analyzed"
}
注意:
在映像标签10.180.25.2:5000/hello-world:latest中,10.180.25.2:5000是我们的本地私有注册表,hello-world:latest是docker hub中可用的最新hello-world映像,我们将其拉入并推入注册表以尝试使用Anchore进行映像扫描-引擎。
很遗憾,我们无法在线找到太多资源来尝试解决上述问题。
可能曾经在Anchore-Engine上工作过的任何人,请请求我看看并帮助我们解决此问题。
此外,对于锚定引擎的任何建议或替代方案或详细步骤,以防万一我们可能错过了任何事情。
输出结果如下:
2018-10-15T00:48:43.880 WARN AnchoreWorker anchore-engine get policy evaluation failed. HTTP method: GET, URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true, status: 404, error: {
"detail": {},
"httpcode": 404,
"message": "image is not analyzed - analysis_status: not_analyzed"
}
2018-10-15T00:48:43.880 WARN AnchoreWorker Exhausted all attempts polling anchore-engine. Analysis is incomplete for sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8
2018-10-15T00:48:43.880 ERROR AnchorePlugin Failing Anchore Container Image Scanner Plugin step due to errors in plugin execution
hudson.AbortException: Timed out waiting for anchore-engine analysis to complete (increasing engineRetries might help). Check above logs for errors from anchore-engine
at com.anchore.jenkins.plugins.anchore.BuildWorker.runGatesEngine(BuildWorker.java:480)
at com.anchore.jenkins.plugins.anchore.BuildWorker.runGates(BuildWorker.java:343)
at com.anchore.jenkins.plugins.anchore.AnchoreBuilder.perform(AnchoreBuilder.java:338)
at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:81)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
at hudson.model.Build$BuildExecution.build(Build.java:206)
at hudson.model.Build$BuildExecution.doRun(Build.java:163)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
at hudson.model.Run.execute(Run.java:1724)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:421)
我还检查了状态,并在以下位置找到了
:docker run anchore/engine-cli:latest anchore-cli --u admin --p admin123 --url http://172.18.0.1:8228/v1 system status
Service analyzer (dockerhostid-anchore-engine, http://anchore-engine:8084): up
Service catalog (dockerhostid-anchore-engine, http://anchore-engine:8082): up
Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): down (unavailable)
Service simplequeue (dockerhostid-anchore-engine, http://anchore-engine:8083): up
Service apiext (dockerhostid-anchore-engine, http://anchore-engine:8228): up
Service kubernetes_webhook (dockerhostid-anchore-engine, http://anchore-engine:8338): up
引擎数据库版本:0.0.7 引擎代码版本:0.2.4
服务策略引擎似乎已关闭
服务policy_engine(dockerhostid-anchore-engine,http://anchore-engine:8087):关闭(不可用)
我还检查了docker日志。我发现以下错误:
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [DEBUG] service (policy_engine) starting in: 4
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [INFO] Registration complete.
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [INFO] Checking feeds client credentials
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [DEBUG] Initializing a feeds client
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [bootstrap] [DEBUG] init values: [None, None, None, (), None, None]
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [bootstrap] [DEBUG] using values: ['https://ancho.re/v1/service/feeds', 'https://ancho.re/oauth/token', 'https://ancho.re/v1/account/users', 'anon@ancho.re', 3, 60]
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [urllib3.connectionpool] [DEBUG] Starting new HTTPS connection (1): ancho.re
[service:policy_engine] 2018-10-15 09:37:50+0000 [-] [bootstrap] [ERROR] Preflight checks failed with error: HTTPSConnectionPool(host='ancho.re', port=443): Max retries exceeded with url: /v1/account/users/anon@ancho.re (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7ffa905f0b90>: Failed to establish a new connection: [Errno 113] No route to host',)). Aborting service startup
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore_manager/cli/service.py", line 158, in startup_service
raise Exception("process exited: " + str(rc))
Exception: process exited: 1
[anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] service process exited at (Mon Oct 15 09:37:50 2018): process exited: 1
[anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] exiting service thread
感谢和问候,
罗汉·谢蒂
答案 0 :(得分:0)
将图像添加到锚定引擎时,它们会排队等待分析,然后将其移动到一个简单的状态机中,该状态机以“ not_analyzed”开头,转到“ analyzing”,最后以“ analyzed”或“ analysis_failed”结束。只有当图像达到“已分析”时,才可以进行政策评估。
anchor Jenkins插件将添加一个图像,然后轮询引擎以获取图像状态/评估以获取配置的尝试次数(默认为300)。一旦图片进入“分析”状态(可以进行策略评估),插件就会从引擎接收策略评估结果。
如果已执行最大重试并且图像尚未达到“分析”,则插件将使构建失败(默认情况下),如果图像确实达到“已分析”,但策略评估产生“失败”结果(表示图片未通过您配置的策略检查)。请注意,所有构建失败行为都可以在插件中进行控制(即,即使分析或图像评估失败,也存在允许插件成功运行的选项)。
您需要查看构建运行输出的末尾(而不仅仅是发布后的开始),并结合以上信息,应该清楚是哪种情况导致了插件失败。构建。
答案 1 :(得分:0)
我们已经解决了这个问题。
根本原因:
我们无法从锚引擎docker容器内建立与URL https://ancho.re的成功https连接。 结果是service:policy_engine无法启动。
https://ancho.re需要下载策略提要并定期同步。没有这些政策,锚定引擎将无法分析docker映像。
解决方案:
1)我们在定位引擎的docker-compose.yaml中传递了HTTPS_PROXY URL作为环境变量。
我们使用此代理URL绕过我们环境中的限制,并与https://ancho.re url建立连接。
2)重新启动docker容器。
最后,我们启动并运行了包括Anchore策略引擎在内的所有服务。
仅供参考: 根据您的互联网速度,下载所有必需的Feed会花费一些时间。
最后,感谢Anchore社区的快速响应和对松弛的支持。
希望这会有所帮助。
温馨提示
罗汉·谢蒂